api: do not advertise all forms for backoffice submission to admins (#36988)
parent
7c02aac054
commit
b876213f44
@ -464,13 +464,13 @@ def test_backoffice_submission_formdef_list(pub, local_user):
assert resp.json['err'] == 0
assert len(resp.json['data']) == 0
# ... unless user is admin
# even if user is admin
local_user.is_admin = True
local_user.store()
resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' %
local_user.name_identifiers[0]))
assert resp.json['err'] == 0
assert len(resp.json['data']) == 1
assert len(resp.json['data']) == 0
local_user.is_admin = False
local_user.store()
11
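--- a/wcs/api.py
+++ b/wcs/api.py
@@ -464,12 +464,11 @@ class ApiFormdefsDirectory(Directory):
 elif backoffice_submission:
 if not formdef.backoffice_submission_roles:
 continue
-if not list_all_forms:
-for role in user.get_roles():
-if role in formdef.backoffice_submission_roles:
-break
-else:
-continue
+for role in user.get_roles():
+if role in formdef.backoffice_submission_roles:
+break
+else:
+continue
 elif formdef.roles and user is None and list_all_forms:
 # anonymous API call, mark authentication as required
 authentication_required = True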
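Review bot: The role loop in the `elif backoffice_submission:` branch now runs for every caller and dereferences `user` without a None check, while the very next `elif` explicitly handles `user is None`; a signed request with `backoffice-submission=on` but no resolved user would presumably raise AttributeError rather than be filtered out. The method starts outside the hunk, so whether an earlier check already rejects that case cannot be confirmed here; if none does, add `if user is None: continue` before the loop so the branch fails closed. Since this loop is now the only gate on which forms are advertised for backoffice submission, a short comment such as `# no admin bypass: only membership in backoffice_submission_roles counts` would help keep a later refactor from reintroducing the shortcut.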